Designing privacy-first apps

Tech
5
minute read

Many people first heard the term ‘privacy by design’ after the EU adopted the General Data Protection Regulation (GDPR) in 2016. The seven foundational principles that make up this approach to systems engineering have, since their publication back in the mid-90s, been adopted worldwide and to varying degrees. Among developers and IT professionals, the concepts of privacy and Value Sensitive Design more generally have guided technological development for a while. 

At no time has this been more important than now. Social media over-sharing. Online profiles to manage everything from your grocery shop to your doctors’ appointments. Contact tracing technology in the time of COVID. These all add to the vast amount of personal data users are encouraged or compelled to share to access even basic services. Privacy, it seems, is a paradox in the digital era. 

Not so. For privacy-conscious users, there are a growing number of technologies available that protect their personal information and even function without the initial provision of such data. For privacy-conscious developers, there are a myriad of opportunities to improve existing applications - and even to build entirely new products. 

In fact, we recently did just such a thing. Building our Ethical Tracer proof of concept app in 2020 allowed us to test out geofencing and obfuscation technology. It’s also worth noting that there is a sizeable overlap between privacy and security - a secure application protects users’ privacy. 

Here’s how we design privacy-first apps at Lola Tech:

  • We start the same way as we do for any app - we use our current favourite, React Native. You can read more about how we develop apps in this recent article on our blog
  • We forego caching: customer data is never cached on the user’s device in between sessions 
  • We prioritise in-memory caching and the control of app foreground/background state

That last point might require some explanation: The type of data accessible to the user of a phone changes with whether the app this data is entered in is being actively used (in the foreground of the mobile device) or running in the background (of the device). In practice, this means we can hide sensitive data when the app is inactive, only showing it when the user has logged back. Or we can request re-authorisation when the user navigates back to the app after a certain period of time. Many banking apps use a very strict version of the latter method, immediately logging out users once they navigate away from the app. Say you want to transfer money but need to check the account number your friend has sent you via WhatsApp - you navigate to your chat exchange, but when you return to your banking app it has logged you out. While not very convenient, this does prevent you from leaving your banking app open, which could allow unauthorised access by someone who may have physical or virtual control over your phone at a later time.

We also follow MASVS-R (Mobile Application Security Verification Standard - Resiliency Against Reverse Engineering and Tampering) requirements for all this, which we have found to be the most exacting in the industry. In short, MASVS-R stipulates that

  • The app is resilient against specific, clearly defined client-side attacks (e.g. tampering or reverse engineering)
  • The app either leverages hardware security features or sufficiently strong software protection techniques

Key to all this is a deep understanding of threats to data security and privacy and taking active measures to manage these risks. A good privacy-first app minimises risks to the user’s data by ingesting less personal data to begin with, and then manages the residual risk by having in-built safeguards in place. 

Lastly, we are also always keen to partner with experts in the security industry, in this case, JScrambler, who offer client-side security solutions for JavaScript in-app protection. Their team specialises in protecting web and hybrid apps with polymorphic obfuscation, code locks, and self-defensive capabilities, and by working with them we ensure we don’t miss any tricks. 

If you need to develop an app but don’t know where to start, or are stuck (it happens!), let’s have a chat. Contact us via email or the online contact form on this site.

Have a project in mind? Let's talk.

Contact us